Online banking security

Online banking protection

Cybercrime is a growth industry

The results were announced during the Securing Our eCity and Digital Crimes Consortium conferences, revealing for the first time an estimated market size for cybercrime: $6 billion in the year 2010 alone.

FinCEN (the Financial Crimes Enforcement Network, established by the U.S. Treasury Department) has determined that financial cybercrime is the fastest-growing sector of this burgeoning market, measuring a 115% increase in 2010. The area of greatest concern is fraud in online banking systems; the estimated annualized growth for crimes related to online banking is 30-50%, with the size of losses more than doubling annually.

There is no easy answer, because banks and other financial institutions have no control over the computers which people use for online banking. Hackers are aware of this, and are continuously refining their strategies and attack methodologies to maximize success and minimize detection risk.

Online banking Trojans

The standard method for obtaining online banking credentials is social engineering or phishing, often in conjunction with a banking Trojan. Two of the most widespread such targeted malware programs are Zeus and SpyEye, which together have compromised millions of computers since they first appeared.

Zeus

The Zeus Trojan is widely referred to as “the God of all Trojans” in the world of online banking fraud and is estimated to be responsible for about 90 percent of banking fraud worldwide. Individual hackers can fine-tune the Zeus code to target specific information for acquisition. Examples include login credentials for online social networks, email accounts, and, of course, online banking or other online financial services credentials.

According to the FBI’s Operation Trident Breach, just one cybergang concluded 390 successful robbery attempts using ZeuS, representing a total haul of $70 million, out of $220 million targeted over the past 18 months.

Despite its longevity and widespread use, the average detection rate for Zeus using traditional antimalware solutions is just 38.63% according to the Zeus Tracker website.

SpyEye

Released in 2009, the SpyEye Trojan has gained momentum rapidly; it was cheaper for hackers to acquire than Zeus, but offered sophisticated control and targeting mechanisms. With the recent news of a SpyEye and Zeus merger, the potential for more sophisticated banking Trojans is even higher.

The average SpyEye detection rate by traditional antimalware is even lower, at just 28.13%, according to the SpyEye Tracker website.

And that’s not the whole story

Early in 2011, a new online banking Trojan named Sunspot emerged, with infection rates similar to SpyEye and Zeus in North America. The Sunspot Trojan has already been linked to instances of fraudulent losses, according to transaction security firm Trusteer. While it is still very early in the life of this latest banking threat, detection by traditional antimalware is patchy at best. According to a VirusTotal analysis conducted by Trusteer, only nine of 42 antivirus programs tested, or 21%, detected Sunspot as of mid-May 2011.

Techniques in use for online banking security

According to Finjan’s Malicious Code Research Center, out of a total of 90,000 potential victims who visited a compromised website, some 6,400 were infected – a “success” rate of about 7.5%. In other words, 1 in every 14 to 15 visitors was victimized. That doesn’t say much for the current effectiveness of online banking security.

Let’s look a little closer at some of the techniques involved.

HTTPS and SSL

Zeus, SpyEye, and other online banking Trojans serve as a heads-up for all those who believe that banking transactions over HTTPS with SSL encryption cannot be intercepted. These techniques are ineffective against MITB (Man-in-the-Browser) attacks, which occur when the victim uses an infected computer for online banking.

SMS authentication

To confirm certain browser transactions, banks send a one-time password (OTP) as a text message to the customer’s mobile phone. To complete the transaction, the user rekeys the OTP into the browser to authenticate his or her identity.

Mobile devices are a hot target for cybercriminals, because most such devices have little or no security, and their users don’t think about security either.

SMS messages sent to a compromised mobile phone (either a smartphone or even a regular cell phone with Java support) can be redirected to an attacker’s computer, and then replayed on a bank site to manipulate online transactions. The attack is complex and multi-layered, but readily perpetrated, thanks to the sophistication of the Zeus and SpyEye botnets. Such attacks are increasingly lucrative.

Bypassing online banking security

(1.) The user is infected by a Trojan when visiting a compromised website. The site scans the user’s computer for vulnerabilities and, when it finds one, it injects a Trojan.
(2.) By monitoring all the user’s online activity, the Trojan collects and transmits login credentials, phone numbers and other sensitive data to the attacker.
(3.) The attacker sends a phishing SMS to the victim’s cell phone using the number stolen at Step 2. The message is intended to persuade the user to click on a link that will
(4.) upload a mobile Trojan to the user’s cell phone.
(5.) The attacker performs an unauthorized funds transfer using the stolen login credentials.
(6.) The bank sends an SMS with a confirmation code to the compromised cell phone.
(7.) The cell phone silently sends this code to the attacker, who then uses it to confirm the transaction.
(8.) Steps 5-8 can be repeated many times, because the Trojan masks the true funds amount and displays only the online banking page the user expects to see.

The same security problems apply to other online banking activities, where communications channels are compromised but the victim continues to see only “normal” online banking screens and confirmation screens that appear to confirm their requests.

The best way to secure online banking is to ensure that both the user’s computer and the bank’s systems are in a continuous “known-good” state. Traditional antimalware solutions are fine for dealing with existing infections and known malware code, but maintaining system integrity requires a fundamentally different approach.

Multilayered security is the answer to online banking threats

To really get the best online banking security, users must employ a host intrusion prevention system (HIPS) that blocks any unauthorized code from entering or activating on their PCs. While application whitelisting alone offers many of these advantages and has the potential to evolve into strong protection, current implementations require much manual tweaking to be effective and minimize false positives. SafenSoft’s VIPO Proactive Protection technology (Valid Inside Permitted Operations) was developed in large part to overcome this problem.
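The allowlisting trade-off described above, as an added example that is not SafenSoft's code and does not represent how VIPO works: a minimal hash-based allowlist records a known-good baseline, denies unknown or modified files at launch, and also denies a legitimate update until someone re-approves it. The function names and sample files are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record path -> digest for every file under root while it is known-good."""
    return {str(p): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def launch_decision(path: Path, baseline: dict[str, str]) -> str:
    """Return 'allow', 'deny:unknown' or 'deny:modified' for a launch attempt."""
    expected = baseline.get(str(path))
    if expected is None:
        return "deny:unknown"          # never approved: not in the baseline
    if sha256_file(path) != expected:
        return "deny:modified"         # approved path, but contents changed
    return "allow"


def demo() -> dict[str, str]:
    # Constructed sample files standing in for executables on a PC.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        browser, updater = root / "browser.bin", root / "updater.bin"
        browser.write_bytes(b"browser v1")
        updater.write_bytes(b"updater v1")
        baseline = build_baseline(root)  # snapshot of the known-good state

        results = {"clean browser": launch_decision(browser, baseline)}
        dropped = root / "dropped.bin"
        dropped.write_bytes(b"unapproved file")
        results["dropped file"] = launch_decision(dropped, baseline)
        browser.write_bytes(b"browser v1 plus unapproved change")
        results["changed browser"] = launch_decision(browser, baseline)
        # A legitimate update changes the digest too: a false positive.
        updater.write_bytes(b"updater v2")
        results["vendor update"] = launch_decision(updater, baseline)
        baseline[str(updater)] = sha256_file(updater)  # manual re-approval
        results["vendor update, re-approved"] = launch_decision(updater, baseline)
        return results


if __name__ == "__main__":
    print(demo())
```

The "vendor update" verdict is the false positive that makes plain allowlisting labor-intensive: every approved change to a binary needs a baseline update before it can run.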

VIPO combines three levels of protection to deliver comprehensive system and application integrity:

Dynamic Integrity Control (DIC) - Protects all executable software on the system by detecting any unauthorized activation attempt and preventing the process from launching before damage can occur.